Jun 5th 2025
AI-created, human-edited.
The landscape of cybersecurity research has taken a dramatic turn with OpenAI's latest o3 model achieving something unprecedented: discovering a previously unknown, critical vulnerability in the Linux kernel. This development has profound implications for both security researchers and the broader tech industry, as discussed in a recent episode of Security Now with hosts Steve Gibson and Leo Laporte.
Security researcher Sean Heelan made headlines when he used OpenAI's o3 model to uncover a zero-day vulnerability in ksmbd, the Linux kernel's in-kernel SMB (Server Message Block) server. What makes this discovery particularly significant is that it wasn't found through traditional vulnerability research methods, but through AI-powered code analysis.
The vulnerability, catalogued as CVE-2025-37899, is a "use-after-free" flaw in the handler for SMB logoff commands. This type of vulnerability occurs when a program continues to use memory after it has been freed, potentially allowing attackers to execute arbitrary code with kernel-level privileges.
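To make the failure mode concrete, here is a minimal, hypothetical C sketch of the pattern. The structures and names are illustrative, not the actual ksmbd code, and the two "threads" are collapsed into one sequential program for clarity; the point is that one code path frees an object while another still holds a pointer to it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel's session structures. */
struct user    { char name[32]; };
struct session { struct user *user; };

/* "Thread A": the logoff handler frees the session's user object. */
static void handle_logoff(struct session *sess)
{
    free(sess->user);
    sess->user = NULL;
}

/* "Thread B": a concurrent request handler that captured the pointer
 * before the free. Dereferencing it now is a use-after-free; in the
 * kernel, this can be leveraged into arbitrary code execution. */
static void handle_request(struct user *u)
{
    printf("request from %s\n", u->name); /* reads freed memory */
}

int main(void)
{
    struct session sess;
    sess.user = malloc(sizeof(*sess.user));
    strcpy(sess.user->name, "alice");

    struct user *stale = sess.user; /* thread B captures the pointer */
    handle_logoff(&sess);           /* thread A frees the object     */
    handle_request(stale);          /* thread B: use-after-free      */
    return 0;
}
```

In a real concurrent setting there is no safe ordering to rely on: whether the free or the dereference wins the race depends on scheduling, which is exactly what makes these bugs hard to spot in review.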
As Leo Laporte astutely observed during the podcast, AI's ability to find critical flaws is "inherently a mixed blessing." While the technology empowers security researchers to discover vulnerabilities before malicious actors can exploit them, it also potentially arms bad actors with the same capabilities.
Steve Gibson emphasized this concern, noting that "the bad guys never appear to suffer from any lack of motivation" to discover problems. This reality underscores the urgency for legitimate security researchers to leverage AI tools proactively.
Sean Heelan, whose credentials include a Master's in Computer Science from Oxford and expertise in automated vulnerability research, used nothing more than OpenAI's o3 API to make this discovery. No complex scaffolding, no agentic frameworks: just direct interaction with the AI model.
The breakthrough came during benchmark testing, where Heelan was evaluating o3's ability to rediscover known vulnerabilities. In the process, the AI identified a novel flaw that Heelan's own manual analysis had missed.
The results speak volumes about AI's advancing capabilities:
- OpenAI's o3: successfully identified the benchmark vulnerability in 8 out of 100 attempts
- Claude Sonnet 3.7: found it in only 3 out of 100 runs
- Claude Sonnet 3.5: failed to detect it in 100 attempts

While an 8% success rate might seem modest, it represents a significant leap forward in AI-powered vulnerability detection.
Gibson provided an excellent explanation of why this type of vulnerability is so dangerous. In concurrent programming environments, multiple threads often need to share access to common objects. When these objects aren't properly managed through reference counting, one thread might free memory that another thread is still using.
This creates a classic "use-after-free" scenario where:

- Memory is allocated for a shared object
- Multiple threads obtain pointers to this object
- One thread frees the memory while others still hold pointers
- Subsequent access to the freed memory can lead to arbitrary code execution

The standard defense against this race, reference counting, is sketched below.

Heelan's assessment of o3's capabilities is particularly noteworthy. He emphasizes that while AI won't replace expert vulnerability researchers, it can make them "significantly more efficient and effective." His key insight: if you have a problem representable in fewer than 10,000 lines of code, there's a reasonable chance o3 can either solve it or help you solve it.
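The Linux kernel's usual defense, which Gibson alluded to, is reference counting (the kernel provides this via its kref API): an object is freed only when the last holder drops its reference. Below is a minimal userspace sketch of the idea using C11 atomics; the types and helper names are illustrative, not kernel code.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical refcounted user object, mirroring what the kernel's
 * kref_get()/kref_put() helpers provide. */
struct user {
    atomic_int refcount;
    char name[32];
};

static struct user *user_get(struct user *u)
{
    atomic_fetch_add(&u->refcount, 1);
    return u;
}

static void user_put(struct user *u)
{
    /* Only the thread that drops the last reference frees the object,
     * so no holder can ever observe freed memory through its pointer. */
    if (atomic_fetch_sub(&u->refcount, 1) == 1)
        free(u);
}

int main(void)
{
    struct user *u = malloc(sizeof(*u));
    atomic_init(&u->refcount, 1);           /* creator holds one ref  */
    strcpy(u->name, "alice");

    struct user *worker = user_get(u);      /* request handler's ref  */

    user_put(u);        /* logoff handler drops its reference...      */
    printf("still valid: %s\n", worker->name); /* ...object survives  */
    user_put(worker);   /* last reference dropped; now it is freed    */
    return 0;
}
```

With this discipline, a logoff handler's put can never pull memory out from under a concurrent handler that took its own reference first; the bug class arises precisely when such counting is missing or applied inconsistently.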
Gibson's long-term vision is compelling: eventually, AI could enable the release of vulnerability-free code by providing perfect pre-release verification. In such a scenario, it wouldn't matter if bad actors also had access to AI vulnerability discovery tools, because there would be no vulnerabilities left to exploit.
While we're not there yet, the progress demonstrated by o3 suggests this future may be closer than previously thought.
This development has several immediate implications:
- Security teams: should begin incorporating AI tools into their vulnerability research workflows
- Developers: need to be more vigilant about concurrent programming practices
- Organizations: must accelerate adoption of AI-powered security testing
- The broader tech community: should prepare for an arms race in AI-powered security research

As Gibson noted, while significant advancements continue to be made in AI capabilities, the challenge remains managing the high false-positive rate. o3's current performance shows a signal-to-noise ratio that requires human expertise to filter results effectively.
However, as these ratios improve over time, we're likely to see AI become an indispensable component of cybersecurity research and defense strategies.
The discovery of a Linux kernel zero-day by OpenAI's o3 model represents more than just a technical achievement—it's a preview of the future of cybersecurity. As Leo Laporte suggested, while we're not quite there yet, "signs point to yes" for AI becoming a game-changer in vulnerability research.
The question isn't whether AI will transform cybersecurity, but how quickly organizations will adapt to this new paradigm. Those who embrace these tools early will likely have significant advantages in the ongoing battle between security researchers and malicious actors.
From Security Now #1028, June 3 2025: AI Vulnerability Hunting